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Abstract 

Our  research  group  has  been  broadly  studying  the  use  of  deliberate  deception  by  software 
to  foil  attacks  on  information  systems.  This  can  provide  a  second  line  of  defense  when 
access  controls  have  been  breached  or  against  insider  attacks.  The  thousands  of  new 
attacks  being  discovered  every  year  that  subvert  access  controls  say  that  such  a  second 
line  of  defense  is  desperately  needed.  We  have  developed  a  number  of  demonstration 
systems,  including  a  fake  directory  system  intended  to  waste  the  time  of  spies,  a  Web 
information  resource  that  delays  suspicious  requests,  a  modified  file-download  utility  that 
pretends  to  succumb  to  a  buffer  overflow,  and  a  tool  for  systematically  modifying  an 
operating  system  to  insert  deceptive  responses.  We  are  also  developing  an  associated 
theory  of  deception  that  can  be  used  to  analyze  and  create  offensive  and  defensive 
deceptions,  with  especial  attention  to  reasoning  about  time  using  temporal  logic.  We 
conclude  with  some  discussion  of  the  legal  implications  of  deception  by  computers. 

A  theory  of  deception  in  information  systems 

Deception  is  a  key  feature  of  human  social  interaction  not  much  studied  in  either 
information  security  or  artificial  intelligence.  In  one  part  of  our  project,  we  are 
developing  testable  computational  models  of  deception  including  the  major  sub¬ 
phenomena  or  trust,  expectation,  suspicion,  surprise,  deception  plans,  and  manufactured 
patterns  (Bell  &  Whaley,  1991).  Such  a  theory  can  be  used  to  explain  both  offensive 
deceptions  (to  gain  some  advantage)  and  defensive  deceptions  (to  foil  someone  else's 
plans).  Defensive  deception  could  fool  attackers  into  thinking  our  systems  are  not  worthy 
of  attack,  or  thinking  incorrectly  they  have  hurt  us.  It  can  be  very  convincing  because 
people  expect  computer  systems  to  be  obedient  servants.  Paradoxically,  deception 
against  bad  people  can  increase  the  trust  level  of  good  people,  much  like  how  an 
inquisitive  police  force  increases  social  trust.  Deceptions  can  also  produce  useful  side 
effects  like  identification  of  the  attacker  by  planting  phone  numbers  we  can  trace  or 
installing  "spyware"  on  the  attacker  that  will  report  their  activities. 

Producing  a  convincing  defensive  deception  requires  careful  planning  because  people  can 
easily  recognize  patterns  suggesting  it.  So  deception  needs  to  be  applied  sparingly  and 
thoughtfully  based  on  a  theory  of  trust  and  "suspiciousness"  and  its  psychological 
consequences  (Miller  &  Stiff,  1993).  We  are  exploring  applying  it  in  two  different  ways. 
One  will  use  a  theory  of  "generic  excuses"  that  will  frustrate  the  attacker  but  appear  to  be 
highly  plausible.  The  other  way  will  use  a  theory  of  "counterplanning"  that  will  frustrate 
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the  attacker  in  highly  effective  but  hard-to-notice  ways.  Counterplanning  can  make  use 
of  artificial-intelligence  planning  research  but  has  unique  issues  too. 

We  must  be  careful  not  to  apply  deceptions  to  non-malicious  users  who  accidentally  act 
suspicious;  thus  intrusion-detection  systems  need  to  search  for  consistent  patterns  in 
lower  levels  of  suspiciousness,  a  different  set  of  criteria  than  employed  today.  Deception 
also  raises  ethical  issues  to  be  explored.  In  general,  deception  is  judged  ethical  against 
serious  consequences  (e.g.  destruction  of  a  computer  system  in  an  attack)  which  may 
apply  to  cyberterrorism  (Tan,  2003). 

One  part  of  our  research  on  the  theory  of  deception  (Rowe  and  Rothstein,  2004)  looked  at 
the  classic  deception  methods  of  conventional  warfare:  concealment,  camouflage,  ruses, 
demonstrations,  feints,  false  and  planted  information,  lies,  displays;  and  insight.  Of  the 
nine,  concealment  and  camouflage  of  operations  (as  opposed  to  data)  are  difficult  in 
cyberspace  since  so  much  of  it  is  black  and  white:  Either  a  file  exists  or  not.  Then 
domain  name  servers  are  quite  willing  to  tell  adversaries  about  what  resources  exist. 

Ruses  are  not  helpful  in  cyberwarfare  because  identity  theft  is  easy  and  lacks  surprise. 
Demonstrations  are  hard  to  make  convincing  and  likely  counterproductive  since  shows  of 
strength  encourage  attacks  which  cannot  be  defended.  Feints  are  not  helpful  because  it  is 
so  difficult  to  localize  an  enemy  for  a  counterattack  in  cyberspace.  False  and  planted 
information  such  as  posting  fake  attack  methods  on  hacker  bulletin  boards  is  certainly 
possible,  but  it  may  turn  out  to  be  easy  to  confirm  most  statements  about  cyberspace  with 
sufficient  time. 

This  leaves  lies,  displays,  and  insights  as  potential  defensive  tactics.  Moreover,  they  are 
powerful  tactics  just  beginning  to  be  explored.  Outright  lies  by  an  information  system 
can  be  effective  because  users  are  so  accustomed  to  truth  from  their  systems.  The  system 
could  lie  about  completing  a  download  of  a  suspicious  file  or  give  a  false  excuse  as  to 
why  it  cannot.  Or  lies  could  be  integrated  into  an  overall  "display"  for  the  attacker.  An 
example  would  be  simulating  an  infection  by  a  virus  while  actually  destroying  the 
infection.  "Insights"  would  be  the  next  step,  where  a  set  of  lies  and  displays  could  be 
integrated  into  an  overall  defensive  strategy  designed  to  cause  the  attacker  the  maximum 
amount  of  trouble,  using  methods  from  artificial  intelligence.  (Cohen,  1999)  gives  an 
interesting  further  taxonomy  of  deception  methods. 

Implementation  of  automatic  deceptions  and  deception  planning 

We  have  implemented  several  demonstration  systems  for  deceptive  software.  One  was  a 
Web  browser  that  delays  answering  requests  when  it  suspects  it  is  under  attack  (Julian  et 
al,  2003).  Another  was  a  file-transfer  utility  that  pretends  to  succumb  to  a  well-known 
buffer-overflow  attack  (Michael,  Fragkos,  and  Auguston,  2003). 

Another  was  a  demonstration  Web  site  including  a  number  of  deceptive  practices.  The 
site  looks  like  a  file  directory  hierarchy  (see  Figure  1);  users  can  click  on  names  of 
directories  to  see  subfiles  and  subdirectories  with  fake  dates  and  sizes,  and  can  click  on 
names  of  files  to  see  captioned  image  data.  Some  of  the  files  appear  to  be  encrypted  like 


that  on  the  top  right  of  Figure  1 .  Authorization  errors  are  issued  for  some  other  files,  and 
loading  time  is  proportional  to  the  listed  number  of  bytes  of  the  file  but  is  exaggerated. 
However,  the  directories  and  files  are  all  fake:  Names  are  chosen  randomly  from  a  list  of 
all  the  Web  page  names  at  our  school,  and  contents  of  the  accessible  and  readable  files 
are  generated  by  randomly  choosing  a  picture  and  its  caption  from  a  school  Web  page. 
The  picture  at  the  bottom  of  Figure  1  was  allegedly  the  file  /root/Code05/WAT/policy/ 
01d_pages/23_AdvancesNonPhotoRealisticRendering/Locations/NavalPostgraduate 
School/images/aries_thumbnail.html,  which  suggests  that  this  Aries  vehicle  has 
something  to  do  with  photographic  rendering,  policy,  and  wide-area  timesharing,  none  of 
which  is  true.  The  site  functions  as  a  kind  of  "honeypof '  for  spies,  encouraging  them  to 
find  spurious  connections  between  seemingly  meaningful  things,  while  the  encryption 
and  the  authorization  errors  suggest  hidden  secrets. 

We  also  implemented  a  software  tool  MECOUNTER  (Rowe,  2003)  to  systematically 
"counterplan"  (Carbonell,  1981)  or  find  ways  to  foil  a  computer-system  attack  plan.  This 
work  is  built  on  previous  research  in  automated  planning  from  constraints,  and  exploits  a 
hierarchical  and  probabilistic  attack  model.  The  model  has  two  agents  with  different 
goals,  an  attacker  and  a  computer  system.  To  test  our  counterplanning,  we  tested  it  on  a 
particular  model  we  built  for  attacks  that  use  buffer  overflows  to  install  rootkits.  This 
model  is  of  a  sufficiently  high  level  to  ignore  details  that  change  frequently  between 
attacks  such  as  the  particular  buffer-overflow  method,  but  detailed  enough  to  capture 
most  details  of  situation-independent  behavior.  It  models  nineteen  action  types  which 
can  be  instantiated  to  ninety-three  distinct  actions.  The  specifications  cover  a  possible 
1 1 5  distinct  facts  (and  their  1 1 5  negations)  in  states,  preconditions,  and  goals,  and  allow 
for  thirteen  categories  of  random  occurrences  with  actions.  We  defined  for  it  3072  test 
starting  states  for  the  goals  of  installing  a  rootkit  on  a  system,  installing  gimmicked  port- 
management  software,  and  logging  out.  When  no  complicating  random  events  occur, 
forty-eight  steps  are  sufficient  to  achieve  the  goal  from  the  most  complex  start  state. 

Our  approach  to  counterplanning  is  to  first  find  all  possible  atomic  "ploys"  that  can 
interfere  with  the  plan.  Ploys  are  simple  deceits  the  operating  system  can  perform  such 
as  lying  about  the  status  of  a  file.  We  analyze  ploys  as  to  the  degree  of  difficulty  they 
cause  to  the  attack  plan  wherever  they  can  be  applied.  This  is  more  complex  than  it 
seems  because  ploys  may  necessitate  changes  to  more  than  one  fact  simultaneously.  For 
instance,  if  we  add  a  fact  that  a  file  F  on  site  S  is  compressed,  we  must  add  the  fact  that  F 
is  on  S  if  that  fact  is  not  asserted  already.  So  for  any  proposed  deletion  or  addition  of  a 
fact  to  a  state,  we  must  detennine  all  implied  facts  and  implied  negations  of  facts.  We 
can  infer  that  A  implies  B  if  whenever  A  occurs  in  a  state,  B  also  occurs.  We  can  infer 
that  A  implies  not(B)  if  whenever  A  occurs  in  a  state,  B  does  not  occur.  Such 
implications  obey  transitivity  (if  A  implies  B  and  B  implies  C,  A  implies  C)  and 
contrapositivity  (if  A  implies  B,  then  not(B)  implies  not(A))  which  reduces  their  required 
number.  As  an  aid  to  designers  of  deception  strategies,  we  have  a  tool  program  that 
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12/24/00  11:44  <DIR> 
12/14/91  21:56  <DR> 
05/02/01  06  14  <DIR> 
02/23/02  23  39  17 
09/25/95  0341  <DIR> 
05/03/95  23  27  <DIR> 
11/04/94  10:40  114 
12/24/98  12:25  <DIR> 
08/02/96  11:49  <DIR> 
05/01/96  02:04  <DIR> 
03/09/94  22:36  <DIR> 
1 1/13/96  21  50  89 
07/28/94  04  52 
04/01/96  16  20  <DIR> 
12/26/93  20:49  <DIR> 
12/12/01  16:21  24 
08/16/00  10:22  <DR> 
08/12/00  15:10  104 
08/27/00  20:46  <DIR> 
05/00/96  20:38  <DIR> 
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Figure  1:  Example  from  the  fake  file  directory  deception. 
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examines  the  states  resulting  from  a  set  of  simulation  runs  of  the  planner  and  suggests 
implications. 


Several  principles  then  can  be  used  to  prune  possible  ploys.  It  makes  no  sense  to  apply  a 
ploy  to  a  state  if  the  ploy  is  a  normal  plan  action  for  that  state.  Facts  added  by  a  ploy  that 
are  already  true  in  a  state,  or  facts  deleted  by  a  ploy  that  are  already  false  in  a  state,  can 
be  ignored  to  simplify  the  ploy  (or  eliminate  it  if  all  changes  are  removed).  It  is  not 
generally  possible  to  delete  mental  consequences  of  actions  (such  as  human  knowledge  of 
particular  vulnerability),  though  strong  efforts  at  disinformation  can  sometimes  work.  It 
makes  no  sense  to  delete,  add,  or  change  an  order  with  a  ploy  since  computers  are  should 
be  agents  of  human  needs  and  this  kind  of  deception  is  easily  apparent.  Similarly,  it 
makes  no  sense  to  delete  a  report  since  a  human  is  expecting  that  report.  But  false  reports 
are  useful  ploys,  either  events  that  never  occurred  (like  reporting  that  the  network 
crashed)  or  events  that  occurred  differently  (like  reporting  that  the  network  is  slow  when 
it  is  not);  false  reports  eventually  cause  precondition  violations  and  failure  during 
execution  of  actions.  We  assume  a  false  report  must  relate  to  a  precondition  or 
postcondition  of  the  preceding  action.  For  our  rootkit-installation  example  after  pruning, 
we  found  588  implications,  16  fact-deletion  ploys,  28  fact-addition  ploys,  and  16  ploys 
with  both  fact  deletion  and  addition. 

We  then  fonnulate  a  counterplan  by  selecting  the  most  cost-effective  set  of  ploys  and 
assign  appropriate  presentation  methods  for  them,  taking  into  account  the  likelihood  that, 
if  we  are  not  careful,  the  attacker  will  realize  they  are  being  deceived  and  will  terminate 
our  game  with  them.  The  counterplan  can  be  accomplished  by  a  modified  operating 
system.  An  exhaustive  approach  to  finding  the  best  ploys  for  the  counterplan  is  to 
systematically  consider  each  one  for  each  state,  an  analogy  to  approximating  partial 
derivatives  of  a  cost  function.  The  most  troublesome  ploy-state  combinations  for  the 
attacker  can  be  executed.  However,  much  of  this  exhaustive  analysis  is  unnecessary.  We 
can  collapse  analysis  of  identical  states  in  different  runs,  building  a  Markov  state  model 
with  state-transition  probabilities.  State  equivalence  can  be  qualitative  to  further  reduce 
the  possibilities.  We  ran  our  rootkit-installation  model  500  times  (in  about  700  minutes) 
with  random  starting  states  drawn  from  the  set  of  3072,  the  defined  random 
postconditions,  and  durations  defined  by  probability  distributions  (allowing  that  attacker 
and  system  can  work  in  parallel)  to  get  10,276  distinct  states  in  21,720  total  states,  which 
cut  our  work  in  half. 

A  second  efficiency  idea  is  to  infer  good  ploys  from  similar  situations  using  inheritance 
and  inheritance-like  rules.  We  devised  useful  rules  for  "backward  temporal  suitability 
inheritance",  "downward  fixplan  inheritance",  and  "ploy  fixplan  following".  For  our  full 
example  of  rootkit  installation  with  500  simulation  runs,  there  were  70  ploys  for  the 
10,276  possible  states,  providing  616,560  ploy-to-state  match  possibilities.  Only  19,1 12 
of  these  were  needed  for  initial  analysis,  and  temporal  inheritance  expanded  this  to 
104,971.  Of  these,  only  18,835  (3.0%)  were  found  meaningful  and  damaging  to  the 
attacker.  (The  average  fixplan  needed  6.6  steps  to  return  the  attacker  to  a  known  state.) 
Combining  this  data  with  the  benefits  of  the  Markov  model,  we  reduced  our 


counterplanning  effort  to  1 .4%  of  the  cost  of  an  exhaustive  test  of  changes  to  the 
simulation,  without  eliminating  any  useful  possibilities. 


After  promising  ploys  and  their  best  times  of  application  to  the  plan  have  been  computed, 
we  must  choose  a  good  set  of  them  to  comprise  the  counterplan.  Our  benefit  metric  must 
reflect  the  results  of  numerous  "red  team"  experiments  that  showed  that  well-trained  and 
determined  attackers  usually  eventually  gained  control  of  target  computer  systems.  So 
our  only  realistic  objective  is  to  delay  the  attacker  maximally.  But  we  cannot  just  do  this 
by  implementing  every  ploy  every  time  because  the  more  ploys  we  use,  the  more  likely 
the  attacker  will  suspect  they  are  being  fooled.  Then  the  more  likely  the  attacker  will 
give  up  and  log  off,  and  we  cannot  then  delay  them  further.  The  simplest  acceptable 
model  of  the  expected  benefit  due  to  ploy  i  at  state  j  in  a  counterplan  we  found  was: 
kjgjeicij  ((1  +  p)mij  -  /?)/((  1  -  pt  )(1  -  ai  U_x )) 

where  k  j  is  the  frequency  of  the  occurrence  of  state  j  in  a  randomly  chosen  complete 
attack  plan;  g  .  is  the  probability  that  a  user  beginning  an  attack  plan  including  j  actually 
reaches  state  j  (without  being  discouraged,  etc.);  ei  is  the  probability  that  ploy  i  succeeds; 
cj .  is  the  expected  time  added  to  the  plan  by  the  ploy  i  at  state  j;  p  is  the  ratio  of  the 

value  of  a  delay  of  one  unit  of  a  legitimate  user's  time  to  the  delay  of  one  unit  of  an 
attacker's  time;  mi  is  the  probability  the  behavior  observed  so  far  is  part  of  the  attack 

plan  for  which  the  ploys  were  generated;  fix)  is  a  sigmoid  function  between  0  and  1  (we 
used  f(x)  =  x2  /(1 00  +  x2)  in  experiments);  pt  is  the  a  priori  probability  of  the  ploy 
occurring  at  random;  a, ,  M  is  the  association  probability  between  this  ploy  and  the  most- 
similar  previous  one. 

We  used  a  greedy  search  to  choose  the  best  set  of  ploys  since  it  performed  almost  as  well 
as  branch-and-bound  in  test  runs.  That  is,  we  choose  the  best  ploy-time  pair,  then  the 
second  best  of  the  remaining  ploy-time  pairs  after  adjusting  probabilities,  then  the  third, 
and  so  on  until  expected  ploy  time  delays  no  longer  exceed  a  fixed  threshold.  We  use  the 
same  counterplan  for  each  attack  because  consistency  is  important  in  deception.  We 
discovered  with  MECOUNTER  analyzing  the  results  of  the  500  simulation  runs  that  the 
best  way  to  impede  the  root-compromise  plan  was  to  do  22  ploy-state  combinations. 
These  changes  included  some  obvious  ones  (like  faking  general  network  problems  and 
deleting  the  rootkit  after  the  attacker  has  logged  out)  and  less  obvious  ones  (such  as 
issuing  false  reports  that  the  downloaded  files  are  now  recompressed).  In  general,  all 
ploys  proposed  by  MECOUNTER  were  helpful  and  reasonable  for  defense  of  the  system. 

Prototype  design  of  an  intrusion  interception  language  CHAMELEON 

We  also  developed  and  implemented  the  first  version  of  the  rule  language 
CHAMELEON  (Michael,  Fragkos,  and  Auguston,  2003)  for  experiments  with  software 
decoys  in  Red  Hat  Linux  6.2  environment.  The  implementation  is  based  on  the  Linux 
kernel  wrapper  tools  developed  by  NAI  (Ko  et  al,  2000).  This  provides  a  more  general 


approach  to  implementing  deceptions  in  the  form  of  a  tool  to  systematically  modify  large 
software  systems  like  operating  systems. 


This  first  version  of  rule  language  provides  functionality  for  signature-based  intrusion 
detection  and  countenneasures,  like  delay  or  total  blocking  of  kernel  command 
execution,  and  error  message  generation.  Intrusion  signatures  can  be  specified  as  regular 
expressions  over  kernel  subroutine  calls  and  can  involve  also  values  of  input  and  output 
parameters  of  kernel  calls.  The  CHAMELEON  compiler  takes  the  rule  source  code  and 
generates  wrapper  code  in  the  Wrapper  Definition  Language  (WDL)  in  addition  to  a 
script  file  necessary  to  compile  the  WDL  code  into  executable  and  install  and  activate  the 
wrapper  in  the  kernel  space.  The  Appendix  shows  the  formal  syntax  of  the  language. 

Wrapper  Support  System  (WSS)  monitors  install  wrappers  and  creates  a  new  instance  of 
a  wrapper  for  each  process  executed  within  the  system.  Since  event  patterns  can  be 
accompanied  by  actions  written  in  the  C  language,  it  becomes  possible  to  program 
arbitrary  countenneasures  in  response  to  the  detected  intrusion  activities. 

As  an  example,  the  rule  below  detects  a  sequence  of  file  operations,  including  opening 
the  file,  some  read/write  operations,  and  closing  the  file.  Each  event  will  cause  a 
message  to  be  sent  to  the  system-monitoring  log  file  with  the  file  name  involved.  The 
pre  and  post  options  indicate  whether  the  corresponding  action  is  perfonned  before  or 
after  the  matching  kernel  call.  $path  is  one  of  several  predefined  access  variables  that 
provide  values  of  kernel  call  parameters. 

/*  simple  rule  example  */ 

R1  : 

detect 

open  pre  {  wr_printf("open  file  %s",  $path)  ;  } 

(  read  pre  {  wr_printf("read  file  %s  ",  $path);  }  | 

write  pre  {wr_printf("write  file  %s  ",  $path);}  )  * 
close  post  {  wr_printf(  "file  %s  closed",  $path);  } 

Besides  executing  arbitrary  C  code,  the  actions  perfonned  by  wrapper  rules  may  include 
two  simple  primitives:  DENY,  which  will  prevent  execution  of  corresponding  kernel  call, 
and  DELAY(N),  which  delays  execution  of  kernel  call  by  N  milliseconds. 

The  CHAMELEON  framework  supports  signature-based  intrusion  detection  and  a  basic 
countermeasures  mechanism.  Future  work  includes  an  extension  to  accommodate 
anomaly-based  statistical  methods  for  detecting  system  misuse.  One  idea  we  are 
exploring  is  to  use  a  third-party  intrusion  detection  system  that  communicate  with  the 
wrappers  (Monteiro,  2003),  which  appears  a  promising  way  to  cut  development  costs 
significantly. 


Run-time  monitoring  of  Knowledge  Temporal  Logic  specifications 


Another  aspect  of  our  research  is  modeling  the  time  sequence  of  events  in  deceptions  and 
attempts  to  foil  them.  We  have  found  temporal  logic  quite  useful.  (Pnueli,  1977) 
suggested  using  Linear-Time  Propositional  Temporal  Logic  (LTL)  for  reasoning  about 
concurrent  programs.  LTL  is  an  extension  of  propositional  logic  where,  in  addition  to  the 
well-known  propositional  logic  operators,  there  are  four  future-time  operators  (0- 
Eventually,  '"’-Always,  U-Until,  O -Next)  and  four  dual  past-time  operators.  (Fagin  et  al, 
1995)  developed  a  general  framework  for  modeling  knowledge  and  computation  and 
apply  it  towards  reasoning  about  knowledge  in  distributed  systems.  This  framework, 
which  we  refer  to  as  knowledge  logic,  is  based  on  propositional  modal  logic. 

A  card-game  example  was  introduced  in  (Fagin  et  al,  1995).  It  consists  of  two  players  (1 
and  2)  and  three  cards  (A,  B  and  C).  Each  player  takes  one  card  and  the  third  card  is  left 
face  down  on  the  table.  A  possible  world  is  described  in  the  formal  model  by  the  cards 
that  the  players  hold.  If  player  1  holds  A  and  player  2  holds  B  we  denote  the  world  as  (A, 
B).  Hence  there  are  six  possible  worlds  (A,  B),  (A,  C),  (B,  A),  (B,  C),  (C,  A)  and  (C,  B). 
Now  if  the  player  1  has  card  C  then  he  clearly  thinks  that  there  are  two  possible  worlds, 
one  where  player  2  holds  card  A  and  in  the  other  where  player  2  holds  card  B.  The 
model  is  represented  visually  in  Figures  2  and  3. 


< WORLD  NAME="AB"> 

<PL  CODE="playerlHasA"  TRUTH="1"  /> 

<PL  CODE="playerlHasB"  TRUTH="0"  /> 

<PL  CODE="playerlHasC"  TRUTH="0"  /> 

<PL  CODE="player2HasA"  TRUTH="0"  /> 

<PL  CODE="player2HasB"  TRUTH="  1 "  /> 

<PL  CODE="plaVer2HasC"  TRUTH="0"  /> 

Figure  3:  Representation  of  the  world  AB  in  the  card  games’  knowledge  file. 
Run-time  Monitoring  of  KTL 

Run  time  Execution  Monitoring  (REM)  is  a  class  of  methods  of  tracking  temporal 
requirements  for  an  underlying  application.  Of  particular  interest  are  on-line  REM 
methods  where  temporal  rules  are  evaluated  without  storing  an  ever-growing  and 


potentially  unbounded  history  trace.  (Drusinsky,  2000)  and  (Drusinsky  and  Shing,  2003) 
describe  the  DBRover  and  Temporal  Rover  REM  tools.  These  tools  support  REM  and 
simulation  of  properties  written  in  LTL  (future-time  and  past-time)  with  counting 
operators,  as  well  as  real-time  and  time-series  constraints.  We  have  extended  the 
specification  language  used  by  these  tools  with  two  new  operators,  knows  (K)  and 
believes  (B).  In  addition,  the  user  specifies  a  possible  worlds  model,  such  as  in  Figure  2, 
using  an  XML  knowledge  file.  The  Rover  tools  assume  that  agent  relations,  such  as  the 
Figure  2  relation  (<C,B>,<C,A>,  player-1),  are  transitive.  The  end  user  can  select 
whether  the  agent’s  relation  is  reflexive  and  symmetric,  though  we  have  only 
experimented  with  a  full  equivalence  relation. 

Consider  the  KTL  rule  for  the  card  game:  R  i  =0<3 K  i  K2IH<2  {player! I lasCardB  v 
player  1  HasCardC) ,  i.e.,  Rj  states  that  "within  three  cycles  player- 1  will  know  that 
player-2  knows  that  for  two  consecutive  cycles  player- 1  has  card  B  or  C."  When  the 
Rover  tools  monitor  rule  Ri  they  repeatedly  read  a  stream  of  propositional  statements 
about  the  status  of  each  player.  In  the  implementation  of  the  card  game  demo  we  chose  to 
represent  each  such  reading  as  a  6-tuple  <player\HasCardA,  playerXHasCardB . . . 
player2HasCardC> ;  the  reading  of  a  new  tuple  constitutes  a  cycle  from  the  temporal 
perspective.  The  domain  of  propositions  in  the  input  stream  (six  propositions  in  our  case) 
and  the  domain  of  propositions  in  the  possible  worlds  model  are  related  by  knowledge 
file  which  assigns  a  truth  value  to  propositions  in  each  world.  Listing  1  contains  the 
specification  of  the  world  AB  in  knowledge  file  for  the  card  game. 

Consider  the  following  sequence  of  readings  (i.e.,  cycles),  where  XT  represents  the  world 
where  player- 1  has  cardXand  player-2  has  card  7:  a=AB.AC.BC.BA.  Consider  for 
example  world  AB,  which  is  the  world  of  cycle  0.  Using  the  possible  worlds  model  of 
[FHMV],  AB  |-  Ki  p  if  p  holds  in  all  worlds  that  are  equivalent  to  AB  for  player- 1,  i.e.,  in 
worlds  AB  and  AC.  AB  |-  p  i.e.,  AB  |-  K2  (p  if  (p  holds  in  all  worlds  that  are  equivalent  to 
AB  for  player-2,  i.e.,  in  worlds  AB  and  CB.  However,  player lHasCardB  v 
player lHasCardC  is  not  true  in  world  AB.  Hence  the  monitoring  result  for  Ri  in  cycle  0 
is  false.  Consider  the  world  for  cycle  2,  namely  BC.  p=  K2  (p  must  hold  in  both  (i)  BC  and 
(ii)  BA.  For  (i)  (p  must  hold  in  BC  and  AC,  and  for  (ii)  (p  must  hold  in  BA  and  CA.  One  of 
those  four  worlds,  AC,  does  not  satisfy  player  lHasCardB  v  player  lHasCardC  resulting 
for  Ri  in  cycle  2  is  false. 

Consider  the  slightly  modified  rule  R2=0<3BiK2D<2  {playerXHasCardB  v 
playerXHasCardC} .  Using  the  same  input  sequence  a,  we  examine  R2  for  the  world  for 
cycle  2,  namely  BC.  p=  K2  (p  must  hold  in  either  (i)  BC  or  (ii)  BA,  where  (i)  and  (ii)  are 
described  above;  case  (ii)  holds  in  cycle  2.  The  world  for  cycle  3  is  BA  where  p=  K2  (p 
must  hold  in  either  (i)  BC  or  (ii)  BA,  which  is  identical  to  cycle  2.  Hence,  p  holds  for  two 
consecutive  cycles  starting  in  cycle  2;  therefore  R2  is  true. 

Modeling  the  WWII  "Man  Who  Never  Was  "  Deception  Ploy 

Let  us  apply  this  to  a  classic  military  example  from  (Dunnigan  and  Nofi,  2001).  In  the 
spring  of  1943  the  Allies  began  to  consider  options  for  the  invasion  of  Europe. 


Strategically  located  in  the  Mediterranean,  Sicily  was  a  good  target.  However,  due  to 
various  obstacles  facing  the  Allied  command  it  was  decided  to  not  invade  Sicily  but 
rather  to  form  a  complete  set  of  fake  plans  for  another  invasion  site  and  time  and  then 
convince  the  Germans  of  this  plan.  A  plan  named  “Operation  Mincemeat,"  was  created 
in  which  a  British  spy  would  be  “captured”  with  the  false  documents.  This  spy  was 
Major  Martin,  a  corpse.  Martin  was  provided  with  false  papers  in  a  briefcase  attached  to 
his  body  to  give  a  false  view  of  when  and  where  the  invasion  would  occur.  A  30-year- 
old  pneumonia  victim  who  had  recently  died  and  who  resembled  a  typical  staff  officer 
was  chosen  as  Major  Martin.  The  fluid  in  his  lungs  would  suggest  that  he  had  been  at  sea 
for  an  extended  period.  Fake  love  letters,  overdue  bills,  and  a  letter  from  the  Major’s 
father,  and  some  personal  belongings  were  put  on  his  corpse.  Martin’s  obituary  was  in 
the  British  papers,  and  his  name  appeared  on  casualty  lists.  Major  Martin  was  taken  to  a 
point  just  off  the  coast  of  Spain  where  the  Allies  knew  the  most  efficient  German  military 
intelligence  network  was  in  place,  put  in  a  lifejacket,  and  set  adrift.  The  body  soon 
washed  ashore  practically  at  the  feet  of  a  Spanish  officer  conducting  routine  coastal 
defense  drills.  He  notified  the  proper  authorities,  which  notified  the  Germans.  On  the 
return  of  Major  Martin’s  body  to  England,  they  discovered  that  his  briefcase  had  been 
very  carefully  opened,  then  resealed.  The  Germans  had  photographed  every  document  on 
Martin’s  body  and  in  his  briefcase,  then  released  him  to  the  Spanish  authorities  for  return 
to  England,  for  the  English  authorities  had  been  demanding  return  of  Martin’s  body.  One 
additional  less  known  fact  is  that  during  the  time  that  the  leading  German  coroner  was  in 
Spain  during  when  the  Spanish  found  Martin’s  body.  The  German  coroner  was  capable 
of  uncovering  the  real  cause  of  death,  pneumonia.  However,  as  it  happened  the  dots  were 
not  connected  and  this  coroner  did  not  examine  Major  Martin’s  body. 

The  logic  representation  of  the  "Man  who  never  was"  deception  ploy  is  concerned  with 
all  possible  worlds  seen  by  the  three  agents,  the  British,  the  Gennans,  and  the  Spanish. 

We  define  the  following  three  Boolean  propositions,  which  together  induce  a  space  of 
eight  possible  worlds: 

•  H-  represents  possible  worlds  where  Major  Martin  episode  is  a  deception. 

•  G-  represents  possible  worlds  where  the  Gennan  coroner  is  in  Spain  and  is 
working  on  the  case. 

•  M-  represents  possible  worlds  where  Major  Martin  drowned. 

Hence,  for  example,  wl  =  <H,  ->G,  -M>  is  the  possible  world  where  the  Major  Martin 
episode  is  a  deception,  the  German  coroner  is  not  in  Spain,  and  Major  Martin  did  not 
drown.  This  is  the  possible  world  the  British  considered  they  were  in,  but  in  fact,  they 
were  unable  to  distinguish  between  this  world  and  w2  =  <H,  G,  -M>  and  could  have 
very  well  been  in  world  w2.  As  in  the  card  example  of  Figure  2,  KL  relations  are  used  to 
aggregate  worlds  an  agent  is  unable  to  distinguish.  Figure  4  illustrates  the  KL  model  for 
the  "Man  who  never  was"  deception  ploy. 


Figure  4:  The  KL  model  for  the  "Man  who  never  was"  ploy,  where  B=British, 

D=German,  S=Spanish. 


Deception  and  the  law 
Response  to  attacks 

In  addition  to  the  technical  aspects  of  realizing  cyber-based  deceptions,  we  are  investigating  social 
aspects,  in  particular  those  relating  to  conducting  deception  within  the  confines  of  the  law.  For  instance, 
(Michael,  Wingfield,  and  Wijesekera  2003)  demonstrated  how  the  Schmitt  Analysis  (Schmitt,  1998)  can 
be  used  to  perform  an  academically  rigorous  evaluation  of  the  factors  affecting  a  lawful  response  to  a 
terrorist  attack,  regardless  of  whether  the  attack  is  effected  via  kinetic  or  cyber  means.  Schmitt  Analysis 
is  not  intended  to  provide  a  mechanical  algorithm  for  solving  what  are  some  of  the  most  technically  and 
legally  challenging  questions  we  face;  instead,  it  is  designed  to  be  a  useful  framework  for  analyzing  the 
effect  of  key  factors  on  the  legal  nature  of  an  attack  and  the  appropriate  response.  As  such,  it  provides 
an  invaluable  tool  for  clarifying  thought  and  highlighting  areas  of  misunderstanding  or  disagreement.  It 
is  an  excellent  basis  for  training  lawyers,  technologists,  and  decision  makers  in  government.  Finally, 
Schmitt’s  methodology  shows  the  way  for  parallel  efforts  to  make  more  rigorous  and  more  transparent 
the  legal  analyses  in  neighboring  areas. 

Misuse  of  deception 

Cyber  decoys  provide  a  means  for  automating,  to  a  degree,  counterintelligence  activities  and  responses 
to  cyber- attacks.  Like  other  security  mechanisms  for  protecting  information  systems,  it  is  likely  that 
cyber  decoys  will  in  some  instances  be  misused.  In  the  United  States,  criminal  law  provides  us  with 
analogies  for  preventing  or  punishing  improper  state  use  of  deception,  and  criminal  and  civil  law  give  us 
a  range  of  tools  to  use  against  private  actors.  However,  in  addition  to  states,  nongovernmental  entities 
and  individuals  can  employ  cyber  decoys.  (Michael  and  Wingfield,  2003)  presented  a  principled 
analysis  of  the  use  of  cyber  decoys,  in  which  they  explored  the  absolute  minima  in  terms  of  customary 
principles  for  what  might  be  considered  to  be  acceptable  use  of  deception. 

According  to  (Michael  and  Wingfield,  2003),  software  decoys  can  be  used  as  an  airlock  between  the 
technology  and  the  law  in  that  the  decoys  can  be  programmed  with  a  wide  spectrum  of  options  for 


taking  action.  Software  decoys  provide  for  anticipatory  exception  handling.  In  other  words,  the  decoy 
anticipates  the  types  of  inappropriate  interaction  between  itself  and  processes  or  objects  requesting  its 
services,  providing  in  advance  a  set  of  rules  for  learning  about  and  evaluating  the  nature  of  the 
interaction,  in  addition  to  rules  for  response.  One  could  envision  developing  policy  that  places 
boundaries  on  the  extent  and  type  of  deception  to  be  employed,  but  providing  some  degree  of  latitude  to 
the  user  of  decoys  to  inject  creativity  into  deceptions  so  as  to  increase  the  likelihood  that  the  deceptions 
will  be  effective.  The  boundaries  could  be  used  to  delineate  the  thresholds  that  if  breached  could  result 
in  the  misuse  or  unlawful  use  of  decoys.  That  is,  principled  analysis  can  be  used  to  meet  all  domestic 
legal  criteria,  and  set  absolute  minima  in  terms  of  the  four  customary  principles  of  discrimination, 
necessity,  proportionality,  and  chivalry. 

The  U.S.  Department  of  Homeland  Security  will  be  responsible  for  coordinating  the  protection  of  both 
public  and  private  cybernetic  property  using  cyber  weapons.  There  are  gray  areas  in  the  law  regarding 
how  to  coordinate  counterintelligence  activities  and  countermeasures  that  need  to  take  place  at  the 
intersection  of  law  enforcement,  intelligence  collection,  and  military  activity.  Principled  analysis  can 
help  here  too,  but  public  policymakers  will  need  technically  and  legally  sophisticated  advice  to  manage 
the  best  technological  defense,  including  deception  techniques,  available  within  the  framework  of  the 
law. 

Tools  and  support  for  education 

We  have  been  working  from  two  different  but  complimentary  areas:  lawful  use  of  software-based 
deception  (Michael  and  Wingfield,  2003),  and  cyber  law  (Wingfield,  2000).  To  this  end,  we  are 
developing  case  studies,  with  the  aid  of  some  automated  tools,  to  teach  officials  from  the  law 
enforcement,  intelligence,  and  military  communities  how  to  reason  about  the  legality  of  responses  to 
terrorist  attacks.  With  appropriate  training,  information,  and  analysis  (both  automated  and  with  man-in- 
the-loop),  it  will  be  possible  to  reduce  the  “gray  area”  of  legal  uncertainty  to  a  minimum,  and  allow  the 
most  complete  range  of  effective  responses  against  those  who  attack  a  nation’s  critical  infrastructure. 

(Farkas  et  ah,  2004)  reports  development  of  THEMIS,  the  Threat  Evaluation  Metamodel  for  Information 
Systems.  THEMIS  is  a  description  logic-based  framework  to  apply  state,  federal,  and  international  law 
to  reason  about  the  intent,  with  respect  to  collateral  consequences,  of  computer  network  attacks.  The 
purpose  THEMIS  is  intended  to  serve  is  to  provide  law  enforcement  agencies  and  prosecutors  with 
automated  tools  for  building  legally  credible  arguments,  and  for  network  designers  to  keep  their 
defensive  and  retaliatory  measures — including  the  use  of  deception  mechanisms — within  lawful  limits. 
THEMIS  automates  known  quantitative  measures  of  characterizing  attacks,  weighs  their  potential 
impact,  and  places  them  in  appropriate  legal  compartments. 
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Appendix:  The  syntax  of  CHAMELEON  rule  language 

Rule::=  Rulename  detect  Event  sequence 

Event_sequence::=  (+  Event_pattem  +)  | 

'('  Event_sequence  ’)'  [('*'!  '+'  !  '?’)  ]  | 

'('  Event_sequence  (  '|'  Event_sequence  )+  ')' 

Event_pattem::=  Event  type  [  probe  Condition  ]  [  pre  Actions  ]  [  post  Actions  ] 

Condition:^  '('  C  expression  ')' 

Actions:  :=  Action  *  '}' 

Action:  :=  DENY  |  DELAY  '('  number_of_msec  ')'  |  C_operator 
Event_type::=  ANY  |  kernel_subroutine_name 

Rule  name  ::=  identifier 

Notes: 

•  Conditions  and  actions  may  include  references  to  the  kernel  call  parameters,  like  $path. 

•  The  current  wrapper  system  can  monitor  approx.  150  kernel  subroutine  names. 

•  Actions  can  be  perfonned  just  before  (pre)  or  after  (post)  the  detected  event. 

•  The  probe  condition  provides  for  additional  context  checking  when  the  event  is  detected. 


Research  on  deception  in 
defense  of  information 

systems 

Neil  C.  Rowe,  Mikhail  Auguston, 
Doron  Drusinsky,  and  J.  Bret  Michael 
U.S.  Naval  Postgraduate  School 
ncrowe@nps.edu 


The  Software  Decoy  Project 

□  Funded  by  the  Department  of  Homeland  Security  and 
other  agencies 

Tailoring  classic  military  deception  for  defending 
computer  assets 

Goal  is  to  provide  a  second  line  of  defense  beyond 
access  controls,  which  is  especially  useful  for  insider 
attacks 

Key  parts  of  the  project: 

Theory  of  deception  for  information  systems 

Simple  testbed  deceptive  software  and  ways  to 
attach  it  to  operating  systems  and  applications 

Temporal  reasoning  in  deception 
Legal  issues  in  software  deception 
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Example:  A  fake-directory  interface 


Directory  of  /root 

* 

12/24/00  11:44  <DIR>  %7Eradlab 

12/14/91  21:56  <DIR>  jPAOj 

05/02/01  06  14  <DIR>  Sumroer2QQ2 

02/23/02  23  39  17  announcement  apnl  02  2002  pictureOl  html 

09/25/95  03:41  <DIR>  d| 

05/03/95  23:27  <DIR>  ece 
11/04/94  10:40  114  event?  htm 
12/24/98  12:25  <DIR>  fsoa 
08/02/96  11:49  <DIR>  is2020  Net  zs 
05/01/96  02:04  <DIR>  mosc 
03/09/94  22:36  <DIR>  oc4213 
11/13/96  21  50  89  oldie  htm 
07/28/94  04:52  <DIR>  or 
04/01/96  16  20  <DER>  outdoors 
12/26/93  2049  <DIR>  profiler 
12/12/01  16:21  24  proiecttcx  html 
08/16/00  10:22  <DIR>  sgs 
08/12/00  15:10  104  weatfaer.html 
08/27/00  20:46  <DIR::>  wecs5-tut 
05/00/96  20:38  <DIR>  -braccio 
04/27/00  17  09  <DIR>  -brutzman 


■J-*  Back  *  ^  4  ^Search  JJ  Favorites  Media  £  L^»  " 

Address  |  <£]  http:/Ar*on.cs.nps.navy.mi:8080/servlet/rowe,FDIr?Dlrectory»/root^ 

Links  ^Customize  LWu  qj free  Hotmail  cj  Windows  ** 


□  □PD* *„%[DaybiK~#DOOd#e]pPZN>n%  I  http : //www .  microsof  t .  com/isapijr 
=mDDQ$RDrbD\D4Dn\5'|(Don7  3D$HrwDP\{tD-[DDDDp+UD5- 
\0)  0  □  ocA>pRZ~HzD  2  U!  0  □  9oqD  □  ?  YmD  ,I8-py\D  □  □  QT\G 

jDS  86fO,!UZmDxOmDDDc’8nAywjIW  aoVr2Db=y/2QHO&"l$Yw 
-1A)  □EKAkDfiTWW/%  SOp 

(□+DVMzQ>@DDDK>DJYUA30DPDrDDDQ_DDn~MD0DIM 
P  J13=lNDD'07’lo@8'DHD  G<  luO’qp  $oDDDQ|  DRE  J 

□  w|D  >$lDb9]0 □  □  0  □  W  IDBaMjJs&{)6=E'FL"l|D=0  □  □  DwF 

□  DAmD+P  I%mkV  W(DrUoK9 

•  8MOSw7VnA2HdDNm9RjGqD  □  □)aDNDd9nrGN% 
yvE&W  □  k#mQ  □  ]  □  i 

'nqx8<&/0X+DeDMzemQ'DmaDm'DtD0D,d4#'fD''Z~O)e} 

D0"xD  □LJladDx|#rD%,[CD  □  □lc%p-DTDG"o=wLDH=6D ! 

W=qy"DD(d<  (dD%ixK0~0*%<-u-  pDDKDDU<SX:DODVB\? 
PlD8TGG/C_vg4/msPU,/voDR#&h&qoLEg7yEHw}qDM3w(vlmd- 
|0I$m  t2,:%,+  P\Vo!Dd)i8#JylWOpDDYDr#8D[D 
□JOC|DDOHgWSJ)JHxoGN  lrjb  o\D3)  D0KH[(Y 
HDSODIWo’AhO  t  □□w=ADDn{q/'D(lDDDZ|DD?{"Di[7ADE% 
(iqe8yDrDTIDAv<D6(lD.&GD08rA)  a>D+ixw4a=D20zL“- 
lZJk@ZhzDD_ClDzoDD&UV8DY>~DM5h5x'A,(&  q'Dx}/2) 
□N8DsH#ODKDr?DU-4co^ODeH?tD4nDYo] 
rluDwOPlf4DgOP8m\|DiS-  ,'IM  J]DRl&{~]0q  S  {(7*%-Gp$~ B) 
gu;l!>DDaVOUtD&A,k=\eDvODO>dD?xhD_3D\cStD=Pl{! 
VFqkaD4DSDTJDN{DWDOXT}h)D>dq*DBWi  Z  D-”4vX)- 
y/DD%P'  p]D  □□~Db9DDK6a*]A)D0~7D\]*  lS?>{{y 
4cSj9  D3D=HP  &D3hD(HDioStMD[DuP8DnD/~SDjltObDDz 
(ISjYDUdAOZ]br2RDyVDO  vDDO"L)pbwDp$ 

□LDAa)  nXJD8OKM4DD05U+KB'YDgy  -|js5"PN?tlETA$D  -j  3 


Example  random-context  data  from  the  fake  directory 


3  http://triton.cs.nps.navy .mil:8080/servlet/rowe.FDir?Directory=/root/Code0S/WAT/policy/0ld_page  -  Microsoft  Internet  Explorer 


IB  Start  | 

J  ^  ^  fi  0 

11:08AM 

J 

_J C : \decoy\deceptheo  |  @]decoy_cats_0‘».do...||^]http://triton.cs.n... 

^  Inbox  -  Microsoft  Q...| 

@]fdir screenshots.d...  | 

© 


Done 


azoresO  l/anes2  jpg 


_ _ _ _ m _ u«>nC _ _ _ _ i _ _ _ ;i  u. _ t 


4-*  Back  -  ^  ^  j2|  ^3  Search  Favorites  /jfMedia  £  J  8  •  I 


Address  g]  we.FDir?Directory=/root/Code05/WAT/policy/Old j>ages/23JVdvancesNonPhotoRealisticRendering/ma/Locations/NavalPostgraduateSchool/images/aries_thurnbnail.html8dsDir=48  f^Go 


Links  gj Customize  Links  gj Free  Hotmail  gj  Windows  /fK  Free  AOL  &  Unlimited  Internet  Q)  RealOne  Player  _|  Windows  Media  _J  personal 


IS  &  sa  ij 


Example  simple  cyber-attack  plan  for  a  rootkit 


Example  ploy:  Delete  admin  authorization  +  log  out 


secureport  secureport  secureport 


Software  wrappers  for  deception 


For  a  deception  defense  to  be  effective,  it  is  good  to 
distribute  it  across  many  features  of  an  operating 
system  —  like  "antibodies". 

We  are  building  tools  to  automatically  modify 
software  to  insert  "wrappers"  around  key  code;  the 
wrappers  can  apply  deception  when  their  suspicions 
are  aroused. 


General  decoy  architecture 


Operating  system 


Wrapper 


Component  1 


Component  2 


Applications 
software  1 


Wrapper 


Component  3 


Applications 
software  2 


Component  4 


Decoy  supervisor 


Decoying  rules 


Example  deception  rule  for  a  software  wrapper 

•  This  detects  opening  a  file,  read/write  operations,  and 
closing  the  file. 

•  Each  event  cause  a  message  to  the  system  log  file. 

•  The  pre  and  post  indicate  whether  the  action  is  done 
before  or  after  the  matching  kernel  call. 

•  $path  provides  values  of  kernel  call  parameters. 

•  Besides  executing  code,  wrapper  rules  may  prevent  or 
delay  execution  of  a  kernel  call. 

R1  :  detect 

open  pre  {  wr_printf("open  file  %s",  $path) ;  } 

(  read  pre  {  wr_printf("read  file  %s  ",  $path);  }  | 
write  pre  {wr_printf( "write  file  %s  ",  $path);}  )  * 
close  post  {  wr_printf(  "file  %s  closed",  $path);  } 
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Timing  in  deceptions 

Deceptions  involve  sequences  of  activities  in  time. 

In  some  deceptions,  the  timing  of  these  activities  is 
critical. 

Since  people  have  difficulty  reasoning  about  time,  it 
is  helpful  to  formalize  complex  activities  for 
computer  analysis. 

We  use  "KTL",  knowledge  temporal  logic. 
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Knowledge  Logic 

Cards  Game 


1 


<A,B>  |=  Knows  player2  player  lhasCardA .....  - 


Statement  must  be  true  in  ail 
worlds  possible  for  player2 
when  in  <A,B> 


False ,  because  in  C,B- 
player  lhasCardA  =  false 
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KTL:  Monitoring  -  static  possible  worlds  model 


player  1  Has  A 
player2HasB 


Static 
model  of 
possible 
orlds 


i 


(A,  B)  - 
2  /  1 


CC,  B) 
1 


CC,  A) 


player  lHasC 
player2HasA 


DBRover 

Monitor 


(A,  Cf> 

\2 

CB,  CO 

1 

CB,  A) 


< WORLD  NAME="AB"> 

<PL  CODE-'playerlHasA"  TRUTH="  1 "  /> 
<PL  CODE="playerlHasB"  TRUTH="0"  /> 
<PL  CODE-'player lHasC"  TRUTH="0"  /> 
<PL  CODE="player2HasA"  TRUTH="0"  /> 
<PL  CODE="player2HasB"  TRUTH="1"  /> 
<PL  CODE="player2HasC"  TRUTH="0"  /> 
</WORLD> 

True, 
false, 
true, 
false, 
false! 
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KTL:  Monitoring 


DBRover-Pro:  c:\dbrover\release\ex 


E 

File  Edit  Help 


D 

2 

X 

✓  Monitor  (sock) 

^  Rule  Editor 

~hJ.  Build  and  Run  Verification  Server 

Admin 

/  Sim.  EPaX 

^  TLChart  Monitor 

✓  Rule:0 


DBRover  Verification  Results  for  Rule:  cardl  1 9 


Feb  17,  2004  11:47:28  AH  ->  Done 

Feb  17,  2004  11:47:28  AH  ->  Done 

Feb  17,  2004  11:47:28  AH  ->  Done 

Feb  17,  2004  11:47:28  AH  ->  Success 

Feb  17,  2004  11:47:26  AH  ->  Success 

Feb  17,  2004  11:47:25  AH  ->  Success 

Feb  17,  2004  11:47:24  AH  ->  Success 

Feb  17,  2004  11:47:22  AH  ->  Fail 

Feb  17,  2004  11:47:12  AH  ->  Fail 


[player lHasC=T,playerlHasB=F] 
[player lHasC=T,playerlHasB=F] 
[player lHasC=T,playerlHasB=F] 
[player lHasC=T,playerlHasB=F] 
[player lHasC=F,playerlHasB=T] 
[player lHasC=F,playerlHasB=T] 
[player !HasC=F,playerlHasB=F] 


Hide  Rule  Tree 


m 


Qlempor 


Reset  Rule 


R  cardl  19 

Eventually 

. Constraint:  Time  <=  7 

e-St  playerl  Believes 
&  a  player2  Knows 
B  ;;{♦  Always 

Constraint:  Time  <=  2 
1=1  1 1  Or 


KTL:  Simulation 


m 


File  Edit  Help 


D 


□ 

Mi 


X 


j  p  Monitor  (tcpiip)  ^  Rule  Editor  'i;l  Build  and  Run  Verification  Server  ^  Admin  y  Sim.  |  M  PaX  W  TLChart  Monitor  | 


cardl  1 9 


1 

A 

Delete  RT  Segment 

V 

0 

h+  split  RT  Segment 

Simulate 


Hide  Rule  Tree 


Lt^:  Variables  J 


Rule  Result  Sequence 


player!  HasC 


player!  HasB 


player!  HasA 


1  1  0  0  0  0  0  [i  0  9  0  0  0  0  0  0  0  0  G  0 


player2HasC 


player2HasB 


player2HasA 


Cycle  No 


Simulated  lime 


0  III  1  1  1!  t!  1!  1!  1!  1!  t  1  1!  t!  ||  l!  l!  l!  l!  l! 


o  0  o  o  o  o  o  [i  o  o  o  o  in  ci  o  o  o  o  o  o 


0  0  i  1  1  1  1  1  0  0  0  0  0  0  0  0  0  0  0  0 


9  1  I  0  0  0  0  G  0  0  0  0  0  0  0  0  0  0  0  0 


1  0  0  0  0  0  G  D  0  0  O  O  0  0  0  Cl  0  0  G  0 


0  0  0  1  1  1  1  1  0  0  0  0  0  0  0  0  0  0  0  0 


£11  2  3  4  5  6  7  8  9  1  1  1  1  1  1  1  1  1  1 

0  1  2  3  4  5  6  7  8  9 


-© - •] 

60  Seconds 


Temporal  Rule  tree  for 


- 


R  cardl  19 
E  1 4'+ Eventually 

Constraint:  Time  ==  7 
E  playerl  Believes 
player2  Knows 
E!  iii*  Always 

Constraint:  Time  ==  2 
E  il  Or 

x==i  Basic:  playerl  HasB 
x==!  Basic:  playerl  HasC 


Kripke  model  for  the  "Man  Who  Never  Was" 


This  gives  all  possible  worlds  seen  by  the  three  agents,  the  British,  the  Germans,  and 
the  Spanish.  We  define  the  following  three  Boolean  propositions,  which  together 
induce  a  space  of  eight  possible  worlds:  H-  represents  possible  worlds  where  Major 
Martin  episode  is  a  deception:  G-  represents  possible  worlds  where  the  German 
coroner  is  in  Spain  and  is  working  on  the  case;  M-  represents  possible  worlds  where 
Major  Martin  drowned. 

Hence,  for  example,  wl  =  <H,  — iG,  ^M>  is  the  possible  world  where  the  Major  Martin 
episode  is  a  deception,  the  German  coroner  is  not  in  Spain,  and  Major  Martin  did  not 
drown.  This  is  the  possible  world  the  British  considered  they  were  in,  but  in  fact, 
they  were  unable  to  distinguish  between  this  world  and  w2  =  <H,  G,  ^M>  and  could 
have  very  well  been  in  world  w2. 


Legal  issues  in  software  deception 

Deception  applied  by  a  government  is  limited  by  law 
and  policy,  the  former  of  which  can  be  represented  by 
mechanical  rules. 

The  policy  (latitude  with  which  to  apply  the  law)  is 
not  readily  amenable  to  full  automation,  but  we  are 
developing  decision-support  tools  for  assessing 
deception  options. 

An  area  in  which  this  is  critical  is  defense  against 
cyber-terrorism. 

We  developed  THEMIS,  a  threat  evaluation 
"metamodel"  for  information  systems  that  organizes  a 
legal  case  against  computer  network  attacks. 
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